Demystifying VPC Endpoints: A Deep Dive into Secure and Efficient AWS Networking

Virtual private clouds (VPCs) are a fundamental building block of AWS, providing a secure and isolated networking environment for your cloud resources. In traditional cloud deployments, resources within your VPC communicate with AWS services through the public internet. However, this approach exposes your resources to potential security vulnerabilities and increases latency.

To address these challenges, AWS introduced VPC endpoints, which enable private connectivity between your VPC and supported AWS services. VPC endpoints eliminate the need for your resources to traverse the public internet, enhancing security and reducing latency. They are particularly beneficial for services that handle sensitive data or require high availability.

Please refer to the previous blog to get the most on AWS VPC - https://racsawsdevops.hashnode.dev/mastering-aws-vpc-cloud-networking

Introduction to VPC Endpoints

VPC endpoints enable a private connection between your VPC and supported AWS services, as well as VPC endpoint services powered by PrivateLink, using private IP addresses. Traffic between the VPC and the AWS service does not leave the Amazon network.

We can use VPC endpoints when resources within our VPCs need to communicate with supported AWS services without crossing an Internet Gateway, NAT Gateway, VPN connection or AWS Direct Connect. In other words, they let us connect to AWS services privately rather than over the public internet.

Interface endpoints are powered by PrivateLink and are injected into the VPC at the subnet level as an ENI. This gives them network interface functionality, and therefore DNS and private IP addressing, as the means of connecting to AWS public services, rather than simply having traffic routed to them.

Let’s say we have developed an application and hosted it in VPC-A, and we would like to enable access to this application for services in other VPCs and for other AWS users or accounts, but we don’t want to set up VPC peering or use the internet for that. This is where PrivateLink comes into the picture: with it we can create our own VPC endpoint service, which enables other services to use our application.

PrivateLink is a VPC endpoint service that we or AWS can use to allow private access to internal services. It provides private connectivity between VPCs and services, which means accessing services in VPCs without the internet. It solves the problem of needing to publicly expose an application to other VPCs and other AWS accounts, which exposes everything.

AWS PrivateLink uses Network Load Balancers to connect interface endpoints to services. A Network Load Balancer functions at the network transport layer (layer 4) and can handle millions of requests per second.

In the case of AWS PrivateLink, it is represented inside the consumer Amazon VPC as an endpoint network interface.

Customers can specify multiple subnets in different Availability Zones to ensure that their service is resilient to an Availability Zone service disruption. To achieve this, they can create endpoint network interfaces in multiple subnets mapping to multiple Availability Zones.
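
The check below is an added example, not code from the original post. It joins data shaped like the output of aws ec2 describe-vpc-endpoints and aws ec2 describe-subnets to find interface endpoints whose network interfaces all sit in one Availability Zone, including the easy-to-miss case of two subnets in the same zone. All IDs and zone names are constructed placeholders.

```python
# Constructed samples shaped like `aws ec2 describe-vpc-endpoints` and
# `aws ec2 describe-subnets` output. Every ID and name is a placeholder.
ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-multi-az-example", "VpcEndpointType": "Interface",
     "SubnetIds": ["subnet-a1-example", "subnet-b1-example"]},
    {"VpcEndpointId": "vpce-same-az-example", "VpcEndpointType": "Interface",
     "SubnetIds": ["subnet-a1-example", "subnet-a2-example"]},
    {"VpcEndpointId": "vpce-gateway-example", "VpcEndpointType": "Gateway",
     "SubnetIds": []},
]}
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-a1-example", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-a2-example", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b1-example", "AvailabilityZone": "us-east-1b"},
]}


def az_coverage(endpoints, subnets):
    """Map each interface endpoint ID to the sorted AZs its ENIs sit in."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    coverage = {}
    for ep in endpoints["VpcEndpoints"]:
        if ep.get("VpcEndpointType") != "Interface":
            continue  # gateway endpoints are route-table targets, not ENIs
        # A subnet missing from the subnet listing is kept visible as unknown.
        zones = {az_of.get(sid, "unknown:" + sid) for sid in ep.get("SubnetIds", [])}
        coverage[ep["VpcEndpointId"]] = sorted(zones)
    return coverage


def single_az_endpoints(endpoints, subnets):
    """Return interface endpoints that one AZ disruption would take out."""
    flagged = []
    for endpoint_id, zones in az_coverage(endpoints, subnets).items():
        known = [z for z in zones if not z.startswith("unknown:")]
        if len(known) < 2:  # two subnets in one AZ still count as one AZ
            flagged.append(endpoint_id)
    return flagged


if __name__ == "__main__":
    for endpoint_id, zones in az_coverage(ENDPOINTS, SUBNETS).items():
        print(endpoint_id, zones)
    print("single-AZ endpoints:", single_az_endpoints(ENDPOINTS, SUBNETS))
```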

Key Points about AWS PrivateLink:

  • Service Endpoints - PrivateLink creates interface VPC endpoints that are powered by AWS PrivateLink technology. These endpoints appear as Elastic Network Interfaces (ENIs) with private IPs in your VPC.

  • Private Connectivity - PrivateLink ensures that traffic between your VPC and the service stays within the AWS network. It doesn't traverse the internet.

  • Security and Isolation - PrivateLink enhances the security of your applications by keeping traffic within the AWS network and off the public internet. It also helps in meeting compliance and regulatory requirements.

  • Associated with Various AWS Services - PrivateLink is associated with a variety of AWS services like Amazon S3, DynamoDB, Elastic Load Balancing (ELB), and others. Each service that supports PrivateLink has its specific endpoint service name.

  • Ease of Use - From the user's perspective, using PrivateLink is transparent. It allows you to access services in a way that's similar to how you access services over the internet.

Types of VPC Endpoints

There are 2 types of VPC Endpoints:

  1. Interface Endpoints

    Interface endpoints enable secure and private connectivity to various services through AWS PrivateLink. These services encompass AWS managed services, endpoint services hosted by other AWS customers and partners in their Amazon VPCs, and supported AWS Marketplace partner services. Service providers own the services, while service consumers create and use interface endpoints to access them.

    An interface endpoint is an Elastic Network Interface (ENI) similar to a virtual network card but with a private IP address. The private IP will be from the IP address range of the subnet already specified by the user. This ENI will act as the main entry point for the traffic going to any supported AWS service.

  2. Gateway Endpoints

    A gateway endpoint is designed to direct traffic to specific IP routes in an Amazon VPC route table, typically for accessing Amazon DynamoDB or Amazon S3. Unlike interface endpoints, gateway endpoints do not facilitate AWS PrivateLink connections.

    This gateway is targeted for a specific route and is currently supported by S3 & DynamoDB.

    • VPC Gateway Endpoint for S3: Allows communication between instances in your VPC and Amazon S3. This endpoint provides a scalable and highly available connection to S3 without requiring an internet gateway or NAT device.

    • VPC Gateway Endpoint for DynamoDB: Enables you to access DynamoDB tables in the same AWS region using private IP addresses. This avoids the need for internet access and allows secure communication with DynamoDB.

Gateway endpoints sit inside the VPC and are associated with a route table: the route's destination carries the “pl” prefix and its target is the endpoint ID. All instances that use the same route table access the endpoint through that “pl” route.

The diagram below shows the overall picture of interface endpoints and gateway endpoints.

Accessing and listing S3 buckets using VPC Endpoint (use case)

Here, we will demonstrate the functionality of VPC endpoints for secure connectivity between a private subnet and AWS services.

Let's break down the steps involved and explain the underlying mechanism:

  1. Creation of VPC with Public and Private Subnets

    We will be creating a VPC with two subnets: a public subnet with an internet gateway and a private subnet. This configuration isolates the private subnet from direct public internet access, enhancing security.

  2. EC2 Instance in Private Subnet

    We launched an EC2 instance in the private subnet. This instance cannot directly access the public internet due to the absence of an internet gateway.

  3. Bastion Host for Access

    To manage the EC2 instance in the private subnet, we have used a bastion host located in the public subnet. The bastion host acts as a secure gateway for accessing the private subnet, allowing you to maintain control over inbound and outbound traffic.

    Let's try to list the buckets from the private instance before creating any private connection using the VPC endpoint. As we can see in the screenshot below, there is no output after we run the aws s3 ls command, because there is not yet a connection through which to retrieve the buckets.

  4. VPC Endpoint for S3 Gateway

    Later, we created a VPC endpoint with the S3 gateway endpoint option as seen in the below screenshot. This endpoint establishes a private connection between the private subnet and the Amazon S3 service.

  5. Listing S3 Buckets from Private Instance

    After attaching the VPC endpoint to the private route table, we logged into the private instance and ran the aws s3 ls command. This command listed the S3 buckets accessible to the instance through the VPC endpoint.

Working Mechanism:

The VPC endpoint acts as a secure tunnel, enabling the private instance to communicate with S3 without exposing it to the public internet. The endpoint routes traffic from the private instance through the AWS network to the S3 service, ensuring that data remains within the AWS infrastructure and is not exposed to external threats.
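
The route-table view of this mechanism, and of the “pl” route described for gateway endpoints earlier, as an added example that is not part of the original post: it classifies route tables shaped like aws ec2 describe-route-tables output by how their instances can reach S3 or DynamoDB. The sample data and every ID in it are constructed placeholders; the table with no path corresponds to the private subnet before the endpoint was attached.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# Every ID is a placeholder, not a value from the article.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-public-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-private-before-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-private-after-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example",
         "State": "active"}]},
    {"RouteTableId": "rtb-nat-and-endpoint-example", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
        {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example",
         "State": "active"}]},
]}


def classify(table):
    """Describe how instances on this route table can reach S3 or DynamoDB."""
    endpoint_routes, default_targets = [], []
    for route in table.get("Routes", []):
        if route.get("State") != "active":
            continue  # a blackhole route carries no traffic
        target = route.get("GatewayId") or route.get("NatGatewayId") or "other"
        prefix_list = route.get("DestinationPrefixListId", "")
        if prefix_list.startswith("pl-") and target.startswith("vpce-"):
            endpoint_routes.append((prefix_list, target))  # gateway endpoint route
        elif route.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_targets.append(target)  # internet gateway, NAT, or other
    if endpoint_routes and not default_targets:
        verdict = "endpoint-only"
    elif endpoint_routes:
        verdict = "endpoint-plus-default-route"
    elif default_targets:
        verdict = "default-route-only"
    else:
        verdict = "no-path"
    return {"verdict": verdict, "endpoint_routes": endpoint_routes,
            "default_targets": default_targets}


def audit(doc):
    """Map each route table ID to its verdict."""
    return {t["RouteTableId"]: classify(t)["verdict"] for t in doc["RouteTables"]}


if __name__ == "__main__":
    for table_id, verdict in audit(ROUTE_TABLES).items():
        print(f"{table_id}: {verdict}")
```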

Conclusion

VPC endpoints are a valuable tool for enhancing security, reducing latency, and simplifying network management in your AWS cloud environment. By leveraging VPC endpoints, you can establish secure private connections between your VPC and supported AWS services, ensuring the confidentiality, integrity, and availability of your data and applications.

We have also seen how to list buckets using a gateway endpoint, which demonstrates the effectiveness of VPC endpoints in establishing secure private connectivity between resources in a private subnet and AWS services. This approach enhances security, reduces latency, and simplifies network management, making it an essential tool for cloud deployments that require sensitive data protection and high availability.

Connect with me -

LinkedIn - https://www.linkedin.com/in/rachitmishra1997/

Twitter - https://twitter.com/racs1997
